800-53|AC-2

Title

ACCOUNT MANAGEMENT

Description

The organization:

Supplemental

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access.
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability.
Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes.
Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.

Reference Item Details

Related: AC-10, AC-17, AC-19, AC-20, AC-3, AC-4, AC-5, AC-6, AU-9, CM-11, CM-5, CM-6, IA-2, IA-4, IA-5, IA-8, MA-3, MA-4, MA-5, PL-4, SC-13

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - passwd | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L2 Unix Audit v1.0.0
1.1 Ensure a separate user and group exist for Cassandra - user exists in group | Unix | CIS Apache Cassandra 3.11 L1 Unix Audit v1.0.0
1.1 Ensure that Corporate Login Credentials are Used | GCP | CIS Google Cloud Platform v2.0.0 L1
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.1 Enable 'aaa new-model' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.1.1 Ensure mounting of udf filesystems is disabled - lsmod | Unix | CIS Google Container-Optimized OS L2 Server v1.1.0
1.1.1.1 Ensure mounting of udf filesystems is disabled - modprobe | Unix | CIS Google Container-Optimized OS L2 Server v1.1.0
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.1.2 Enable 'aaa authentication login' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.2 Ensure only trusted users are allowed to control Docker daemon | Unix | CIS Docker v1.6.0 L1 Docker Linux
1.1.2 Ensure two emergency access accounts have been defined | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.0.0
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.1.3 Enable 'aaa authentication enable default' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.1.3 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG MS L1 v1.1.0
1.1.3 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Windows | CIS Microsoft Windows Server 2016 STIG DC L1 v1.1.0
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS L1 v1.0.1
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC L1 v1.0.1
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
1.1.3 Ensure that between two and four global admins are designated | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.0.0
1.1.3.1.2 Configure 'Accounts: Rename guest account' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.3 Set 'Accounts: Administrator account status' to 'Disabled'. | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.4 Configure 'Accounts: Rename administrator account' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.1.5 Set 'Accounts: Guest account status' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.4 Ensure 'Minimum password age' is set to '1 or more day(s)' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0